Audit Peer Review
The internal quality assurance process where a second senior researcher reviews every finding before the draft audit report is delivered to the client.
Audit peer review is the internal quality assurance step performed by a smart contract audit firm before any finding reaches the client. It is the difference between a report full of well-justified, defensible findings and one cluttered with false positives that embarrass everyone involved.
How Audit Peer Review Works
After the primary researcher completes their manual review and documents each finding with a title, description, vulnerable code snippet, impact analysis, and proof of concept, the work goes to a second senior researcher inside the firm. The second researcher is typically uninvolved with the original engagement, which lets them read the findings fresh.
The peer reviewer is not just reading for typos. They are stress-testing the analytical claim behind each finding. They re-read the relevant code, they walk the exploit path independently, they verify the severity assignment matches the firm's audit severity matrix, and they push back on findings that do not hold up under scrutiny.
The result of this back-and-forth is either a confirmed finding that goes into the draft report, a downgraded finding where the severity was overstated, or a rejected finding that gets removed entirely. A meaningful percentage of initial findings are rejected or downgraded during peer review, which is exactly why peer review exists.
What Peer Review Catches
Peer review catches three categories of problems that the original researcher might miss.
First, false positives. The original researcher might flag a function as vulnerable based on a quick read of the code, only to miss a check elsewhere in the codebase that prevents the exploit. Peer review forces a second pass that often surfaces the mitigating control.
Second, severity inflation. Under deadline pressure, researchers sometimes assign Critical or High severity to findings that are actually Medium or Low when judged against the full impact-times-likelihood matrix. Peer review applies a more dispassionate calibration.
Third, missed context. A finding might be technically correct in isolation but irrelevant given the protocol's intended use. For example, a "centralization risk" finding may not apply to a protocol that openly markets itself as upgradeable and administered. Peer review provides the protocol-level perspective that the line-by-line reviewer can lose.
Why Cheap Firms Skip It
Peer review consumes senior researcher time, which is the most expensive resource in a security firm. A firm that operates on thin margins will often skip peer review entirely, sending the primary researcher's draft directly to the client. The savings show up in lower pricing, and the cost shows up in the client's experience.
Reports without peer review tend to have more false positives, more inconsistent severity ratings across the same firm's portfolio of audits, and more findings that the protocol team has to rebut during a tense remediation phase. Each rebutted false positive damages trust in the audit and the firm.
How to Verify Peer Review Happens
When evaluating a firm, ask directly: "Is every finding peer-reviewed inside the firm before delivery?" Follow up with "By whom?" and "How many senior researchers do you have?" A firm that genuinely runs peer review can answer these questions with names and processes. A firm that does not will deflect or speak in generalities.
A serious firm will also describe a consistent severity framework. If different audits from the same firm use the same matrix and produce the same severity meanings, peer review is likely real. If severity ratings vary wildly across the firm's published reports, peer review is either missing or not working.
Related Terms
Fix Verification Round
A mandatory second review by an audit firm to confirm that client patches actually fix the reported vulnerabilities without introducing new ones.
Audit Severity Matrix
The two-axis framework auditors use to assign Critical, High, Medium, Low, or Informational severity to findings based on impact times likelihood.
Audit Scope
The defined boundaries of a security audit, specifying which contracts, functions, and concerns will be reviewed.
Audit Timeline
The full sequence of security activities a smart contract protocol schedules across its lifecycle — architecture review, mid-development checkpoint, pre-launch audit, fix-review, public bounty, post-deploy audit, and recurring re-audits — rather than a single point-in-time engagement.